{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Accessing Staff Data – UK GDPR, Data Protection and Confidentiality Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} manages staff personal data lawfully, fairly, transparently and securely in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018, the Data (Use and Access) Act 2025 where in force, and all applicable Scottish social care regulatory requirements. This policy applies to how staff data is collected, accessed, used, shared, stored, retained and securely destroyed. It supports safe recruitment, workforce regulation, effective care governance, confidentiality, accountability and the protection of staff rights.
Our commitments include:
- Ensuring staff personal data is processed lawfully, fairly, and transparently.
- Implementing appropriate security measures to protect personal data from unauthorised access.
- Providing staff with clear information on how their data is collected, used, and stored.
- Granting access to staff data only where necessary and with appropriate authorisation.
- Enabling staff to exercise their data rights under the UK GDPR.
- Ensuring that staff data is only accessed on a need-to-know basis and that all access is proportionate, authorised, auditable and linked to a legitimate employment, regulatory, safeguarding, payroll, training, supervision or service-management purpose.
2. Scope
This policy applies to all staff personal data processed by {{org_field_name}}, including data relating to:
- employees, workers, bank staff, volunteers, agency workers, students, contractors and applicants for employment;
- registered managers, directors, nominated persons and responsible individuals where their information is processed for employment, regulatory or governance purposes.
It also applies to everyone who handles or receives that data, including:
- HR, payroll, finance, rostering, training, supervision, quality assurance and management personnel who handle staff data;
- IT personnel and external system providers who may host, maintain or support systems containing staff data;
- third-party processors, including payroll providers, HR software providers, occupational health providers, training platforms, pension providers, insurers, legal advisers and cloud storage providers;
- regulatory and statutory bodies, including the Care Inspectorate, the Scottish Social Services Council, Disclosure Scotland, HMRC, law enforcement bodies and other authorities where disclosure is lawful and necessary.
This policy applies to staff data held in paper files, electronic files, emails, HR systems, payroll systems, rostering systems, training systems, supervision records, messaging systems, mobile devices, cloud storage, archived records and backup systems.
3. Legal and Regulatory Framework
This policy aligns with the following legislation, regulatory requirements, standards and guidance, where applicable:
- UK General Data Protection Regulation;
- Data Protection Act 2018;
- Data (Use and Access) Act 2025, where provisions are in force;
- Privacy and Electronic Communications Regulations, where applicable;
- Public Services Reform (Scotland) Act 2010;
- Social Care and Social Work Improvement Scotland (Requirements for Care Services) Regulations 2011;
- Social Care and Social Work Improvement Scotland (Registration) Regulations 2011;
- Regulation of Care (Scotland) Act 2001, where relevant to SSSC Codes and workforce regulation;
- Scottish Social Services Council Codes of Practice for Social Service Workers and Employers, 2024 edition;
- Protection of Vulnerable Groups (Scotland) Act 2007;
- Disclosure (Scotland) Act 2020 and related commencement regulations;
- Rehabilitation of Offenders Act 1974 and applicable Scottish exceptions and exclusions legislation;
- Equality Act 2010;
- Health and Safety at Work etc. Act 1974;
- Working Time Regulations 1998;
- Employment Rights Act 1996;
- HMRC PAYE and payroll record-keeping requirements;
- Care Inspectorate guidance on records registered care services must keep and notifications they must make;
- ICO employment practices and data protection guidance.
The Freedom of Information (Scotland) Act 2002 applies only where {{org_field_name}} is a Scottish public authority or is otherwise legally subject to freedom of information obligations. Where the Act does not apply directly, {{org_field_name}} will still cooperate with lawful information requests from commissioners, regulators and statutory bodies.
4. Lawful Processing of Staff Data
{{org_field_name}} will only process staff personal data where there is a lawful basis under Article 6 of the UK GDPR. The lawful basis will depend on the purpose of processing and may include:
- Contractual necessity – where processing is necessary to enter into or perform an employment, worker, volunteer, contractor or agency arrangement, including payroll, duties, working hours, benefits and management of employment records.
- Legal obligation – where processing is necessary to comply with employment law, tax law, pension duties, health and safety duties, PVG/disclosure requirements, SSSC registration requirements, Care Inspectorate requirements, safeguarding obligations, regulatory reporting or court/legal obligations.
- Legitimate interests – where processing is necessary for legitimate organisational purposes, including workforce planning, supervision, training, rota management, service continuity, quality assurance, audit, investigation, information security, fraud prevention and the defence of legal claims, except where overridden by the rights and freedoms of the individual.
- Vital interests – where processing is necessary to protect someone’s life or respond to a serious emergency.
- Public task – where applicable to commissioned or statutory functions and only where {{org_field_name}} is exercising functions in the public interest or under official authority.
- Consent – only where consent is freely given, specific, informed and capable of being withdrawn without detriment. Consent will not normally be relied upon for core employment processing because of the imbalance of power between employer and worker. It may be used for genuinely optional activities, such as staff photographs for promotional materials.
Where {{org_field_name}} processes special category data, such as health information, disability information, sickness records, occupational health information, trade union membership, biometric data used to uniquely identify a person, genetic data, racial or ethnic origin, religious or philosophical belief, or sexual orientation, it will identify both a lawful basis under Article 6 and a separate condition under Article 9 of the UK GDPR. This may include employment, social security and social protection law obligations; occupational medicine; assessment of working capacity; health and safety obligations; equality monitoring; safeguarding; legal claims; or explicit consent where appropriate. Where the condition relied on is one of those in Schedule 1 of the Data Protection Act 2018 that requires an appropriate policy document, {{org_field_name}} will maintain that document and record the retention and erasure arrangements it describes.
Where {{org_field_name}} processes criminal offence data, including PVG, disclosure, barring, conviction or fitness-to-practise information, it will do so only where authorised by law under Article 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018, and only where necessary for safe recruitment, ongoing suitability checks, safeguarding, regulatory compliance, employment decisions or protection of people receiving care.
4.1 Staff Privacy Notice and Transparency
{{org_field_name}} will provide staff, workers, applicants, volunteers and contractors with clear privacy information explaining how their personal data is collected, used, shared, retained and protected. This information will normally be provided through a staff privacy notice at recruitment, induction and whenever there is a significant change to how staff data is processed.
The staff privacy notice will include:
- the identity and contact details of {{org_field_name}} as data controller;
- contact details for the Data Protection Officer or person responsible for data protection;
- the categories of staff data processed;
- the purposes and lawful bases for processing;
- the Article 9 conditions used for special category data;
- the lawful basis for processing criminal offence, PVG and disclosure information;
- who staff data may be shared with;
- details of any processors or external systems used;
- international transfer information, where applicable;
- retention periods or criteria used to decide retention;
- staff data rights;
- how staff can complain internally and to the ICO.
5. Categories of Staff Data Collected
{{org_field_name}} may collect and process the following categories of staff data where necessary and proportionate:
- Personal identification and contact data – name, address, date of birth, personal contact details, emergency contact details, National Insurance number and identity documents.
- Recruitment and suitability data – application forms, CVs, interview notes, references, right-to-work evidence, employment history, gaps in employment, qualifications, professional registration details, PVG scheme membership, disclosure information, barring information, fitness-to-practise information and recruitment decision records.
- Employment and HR records – contracts, job descriptions, terms and conditions, induction records, probation records, supervision records, appraisal records, performance records, conduct records, disciplinary records, grievance records, capability records, absence records and records of employment changes.
- Payroll, pension and financial data – salary, wages, tax codes, PAYE information, pension contributions, bank details, expenses, benefits, student loan deductions, attachment of earnings and payroll correspondence.
- Health, wellbeing and occupational health data – sickness absence, occupational health referrals and reports, disability information, reasonable adjustments, pregnancy-related information, accident-at-work records, health surveillance records and information relevant to fitness to work.
- Equality and diversity monitoring data – information used for equality monitoring, inclusion and legal compliance, where collected.
- Training, competency and regulatory compliance records – qualifications, mandatory training, continuous professional learning, SSSC registration, registration conditions, supervision, competency assessments and evidence of learning and development.
- Rota, attendance and service delivery data – rotas, timesheets, visit logs, electronic call monitoring records, mileage, lone-working records and records required to evidence safe staffing and service continuity.
- IT, communications and security data – system usernames, access permissions, audit logs, email records, device records, CCTV images where used lawfully, incident logs, information security records and records of access to care or staff systems.
- Investigation and safeguarding data – records relating to complaints, allegations, accidents, incidents, whistleblowing, safeguarding concerns, regulatory enquiries, police enquiries, SSSC referrals, Care Inspectorate enquiries or internal investigations.
{{org_field_name}} will not collect more staff data than is necessary for the specified purpose and will keep staff data accurate and up to date.
5.1 PVG, Disclosure Scotland and SSSC Registration Data
For roles that are regulated roles with children, protected adults, or both, {{org_field_name}} will ensure that the individual has appropriate PVG scheme membership before carrying out that regulated role. PVG and disclosure information will only be accessed by authorised staff, used for safe recruitment, suitability, safeguarding and regulatory compliance purposes, and retained only for as long as necessary.
{{org_field_name}} will record the outcome of PVG and disclosure checks, the date checked, the role type, the decision made, any risk assessment completed, and any restrictions or conditions required. Full disclosure certificates or detailed vetting information will not be copied or retained unless there is a lawful, necessary and proportionate reason to do so.
Where a role requires SSSC registration, {{org_field_name}} will check and record registration status, conditions, renewal requirements and any relevant fitness-to-practise restrictions. Any concerns about a worker’s fitness to practise will be handled in line with the SSSC Codes of Practice, safeguarding procedures, disciplinary procedures and regulatory reporting duties.
6. Data Access and Authorisation
Access to staff data is strictly controlled and based on the principles of confidentiality, least privilege, need-to-know access, role-based access and accountability.
Staff data may only be accessed where access is necessary for a legitimate and authorised purpose. Access must be proportionate to the role and limited to the minimum information required.
Authorised access may include:
- HR and payroll personnel – access to recruitment, contracts, payroll, absence, performance, disciplinary, grievance, pension, benefits and employment records where required for their role.
- Registered Manager, service managers and authorised line managers – access to information required to manage performance, supervision, absence, conduct, capability, rota planning, safe staffing, training and service delivery.
- Training and compliance leads – access to training, qualification, competency, SSSC registration and compliance records.
- IT administrators – limited access required for account administration, system maintenance, cyber security, audit logs, access controls and incident response. IT staff must not access HR content unless this is necessary and authorised.
- Directors, responsible individuals or senior leaders – access where required for governance, legal compliance, safeguarding, regulatory enquiries, workforce planning, investigations or serious incidents.
- External processors – access only under a written contract or data processing agreement and only for the agreed processing purpose.
- Regulatory and statutory bodies – access or disclosure where lawful and necessary, including to the Care Inspectorate, SSSC, Disclosure Scotland, HMRC, pension providers, insurers, courts, law enforcement agencies or safeguarding authorities.
Staff must not access their own HR record, another worker’s record, or any colleague’s personal data through care, HR, rota, payroll or IT systems unless expressly authorised to do so. Unauthorised access, browsing, sharing, downloading, photographing, copying or disclosure of staff data may be treated as misconduct or gross misconduct.
{{org_field_name}} will maintain access permissions, review them regularly, remove access promptly when roles change or employment ends, and investigate any suspected unauthorised access.
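The access rules in this section (role-based need-to-know access, no self-access to one's own HR record without express authorisation, IT administrators kept away from HR content, and prompt removal of access for leavers) are the kind of rules an access-log review should check mechanically. The following is an added worked example, not code from {{org_field_name}} or from any HR system named in this policy. The role names, data categories, the key=value log format, the leaver dates and the sample log lines are all constructed for illustration; a real review would read the log format and role definitions of the HR, payroll or rota system actually in use.

```python
"""Added example: review constructed staff-system access events against the
need-to-know, role-based, self-access and leaver rules in section 6.
Not the organisation's own code; every name and log line is illustrative."""
from datetime import datetime, timezone

# Assumed mapping of role -> categories of staff data that role may access.
ROLE_PERMISSIONS = {
    "hr":            {"recruitment", "contract", "payroll", "absence",
                      "performance", "disciplinary", "grievance", "pension"},
    "payroll":       {"contract", "payroll", "pension"},
    "line_manager":  {"absence", "performance", "supervision", "training", "rota"},
    "training_lead": {"training", "qualification", "sssc_registration"},
    # IT administrators see account and log data only, never HR content.
    "it_admin":      {"account", "access_log", "permissions"},
}

# Every category that forms part of a person's HR record, for the self-access rule.
HR_CATEGORIES = set().union(*(v for k, v in ROLE_PERMISSIONS.items() if k != "it_admin"))


def parse_event(line):
    """Parse one constructed log line: '<ISO timestamp> key=value key=value ...'."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review_event(event, leavers, authorisations):
    """Return the reasons this event needs investigation (empty list = no concern).

    leavers: {username: leaving datetime}; access after that date means the
             account was not removed promptly.
    authorisations: set of (actor, subject, category) tuples recording express
             written authorisation for access outside the role, or to one's own record.
    """
    actor, subject, category = event["actor"], event["subject"], event["category"]
    authorised = (actor, subject, category) in authorisations
    reasons = []
    left = leavers.get(actor)
    if left is not None and event["ts"] > left:
        reasons.append("access after leaving date: account not removed promptly")
    allowed = ROLE_PERMISSIONS.get(event["role"])
    if allowed is None:
        reasons.append(f"unknown role {event['role']!r}")
    elif category not in allowed and not authorised:
        reasons.append(f"category {category!r} outside role {event['role']!r}")
    if actor == subject and category in HR_CATEGORIES and not authorised:
        reasons.append("self-access to own HR record without express authorisation")
    return reasons


def review_access_log(lines, leavers, authorisations=frozenset()):
    """Run review_event over each log line; return (line number, actor, reason) tuples."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        event = parse_event(line)
        for reason in review_event(event, leavers, authorisations):
            findings.append((n, event["actor"], reason))
    return findings


# Constructed sample log: six events, three of which should be flagged.
SAMPLE_LOG = """\
2025-03-03T09:12:05Z actor=jsmith role=hr subject=akhan category=absence action=read
2025-03-03T09:14:40Z actor=mlee role=it_admin subject=akhan category=disciplinary action=read
2025-03-03T09:20:11Z actor=akhan role=line_manager subject=akhan category=performance action=read
2025-03-03T10:02:33Z actor=pgrant role=line_manager subject=rdoe category=payroll action=export
2025-03-04T08:30:00Z actor=tbrown role=hr subject=rdoe category=contract action=read
2025-03-03T11:00:00Z actor=pgrant role=line_manager subject=rdoe category=rota action=read
""".splitlines()

# Constructed: tbrown left on 1 March; pgrant has written authorisation for one payroll query.
LEAVERS = {"tbrown": datetime(2025, 3, 1, tzinfo=timezone.utc)}
AUTHORISATIONS = {("pgrant", "rdoe", "payroll")}

if __name__ == "__main__":
    for n, actor, reason in review_access_log(SAMPLE_LOG, LEAVERS, AUTHORISATIONS):
        print(f"line {n}: {actor}: {reason}")
```

Run as written, the review flags the IT administrator reading a disciplinary record, the line manager reading their own performance record, and the leaver whose account was still active, while the authorised payroll export passes. The point of the authorisation set is that exceptions are recorded in advance and checked against, rather than explained after the fact; in practice it would be populated from the written authorisations this section requires.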
6.1 Data Sharing, External Providers and Data Processing Agreements
{{org_field_name}} will only share staff personal data where there is a lawful basis, a defined purpose and a need to share the information. Data sharing must be proportionate, relevant, accurate and limited to the minimum information necessary.
Where an external organisation processes staff data on behalf of {{org_field_name}}, such as payroll, HR software, rostering, training, occupational health, pension, cloud storage or IT support providers, {{org_field_name}} will ensure that a written contract or data processing agreement meeting Article 28 of the UK GDPR is in place. This must require the processor to process data only on documented instructions, keep data secure, support staff rights, notify {{org_field_name}} of personal data breaches without undue delay and assist with their handling, use approved sub-processors only where permitted, and return or securely delete data at the end of the contract.
Where staff data is shared with another controller, such as HMRC, Disclosure Scotland, the SSSC, the Care Inspectorate, pension providers, insurers, occupational health clinicians, legal advisers, police or safeguarding authorities, the sharing must be documented and justified.
Staff data must not be transferred outside the UK unless appropriate safeguards are in place and the transfer complies with UK data protection law.
7. Data Storage and Security Measures
7.1 Physical Security
- Paper records are stored in locked filing cabinets, accessible only to authorised personnel.
- Physical access to HR and payroll areas is restricted to authorised personnel.
7.2 Digital Security
- Staff data is stored on secure, password-protected systems.
- Multi-factor authentication (MFA) is used for sensitive systems containing personal data.
- Role-based access controls (RBAC) ensure staff only access the data necessary for their duties.
- Regular cybersecurity audits are conducted to identify vulnerabilities.
- Staff must not store staff personal data on personal devices, personal email accounts, personal cloud storage, messaging applications or removable media unless this has been expressly authorised and appropriate security controls are in place.
- Laptops, tablets, mobile phones and portable devices used to access staff data must be password protected, encrypted where available, kept secure and reported immediately if lost or stolen.
- Staff data must not be sent by email unless necessary. Where sensitive or special category data is sent electronically, appropriate safeguards must be used, such as secure portals, encryption, or password-protected files with the password sent by a separate channel (for example by phone rather than in the same email), and the recipient's address must be verified before sending.
- Access to HR, payroll, rota, training and care management systems must be removed promptly when a staff member leaves or changes role.
- Audit logs of access to staff systems will be retained for a defined period, reviewed as part of periodic access audits, and examined whenever there is a concern about unauthorised access or misuse.
- Paper records must not be left unattended in vehicles, public places, service users’ homes or shared areas.
- Staff must follow clean desk, clear screen and secure printing procedures where staff data is handled.
8. Data Retention and Disposal
8.1 Data Retention Periods
{{org_field_name}} will retain staff data only for as long as necessary for the purpose for which it was collected, including employment, payroll, tax, pension, regulatory, safeguarding, insurance, legal, audit and service-continuity purposes. Retention periods will be recorded in the organisation’s retention schedule and reviewed regularly.
Unless a longer or shorter period is justified and documented, the following retention periods will normally apply:
- Recruitment records for unsuccessful applicants – normally 6 to 12 months after the recruitment decision, unless a longer period is required because of a complaint, claim, safeguarding concern or regulatory matter.
- Recruitment records for successful applicants – retained on the personnel file for the duration of employment and then in line with the personnel file retention period.
- Right-to-work evidence – retained for the duration of employment and normally for 2 years after employment ends.
- Personnel file and core employment records – normally retained for 6 years after employment ends, unless a longer period is required for safeguarding, regulatory, legal, pension, insurance or dispute reasons.
- Payroll, PAYE, tax and wage records – retained in line with HMRC and employment law requirements, normally for at least 3 years from the end of the tax year for PAYE purposes, and up to 6 years where required for tax, national minimum wage, accounting, audit or legal limitation purposes.
- National minimum wage records – retained for the statutory period required for the relevant pay reference period.
- Working time records – normally retained for at least 2 years from the date they are made.
- Pension records – retained in line with pension scheme, auto-enrolment and legal requirements.
- SSSC registration, training, competency and supervision records – retained during employment and normally for at least 6 years after employment ends, unless regulatory or safeguarding reasons require longer retention.
- PVG, disclosure and safe recruitment decision records – retained only for as long as necessary to evidence the recruitment or suitability decision, safeguarding compliance and regulatory compliance. Full certificates or detailed disclosure information must not be retained unless necessary, proportionate and authorised.
- Disciplinary, grievance, conduct, capability and investigation records – retained in line with the seriousness of the matter, employment status, legal limitation periods, safeguarding relevance and regulatory requirements. Records involving safeguarding, abuse, misconduct in care, fitness to practise or referral to a regulator may need to be retained for longer than standard HR records.
- Accident at work and health and safety records – retained in line with health and safety, insurance and statutory reporting requirements.
- Occupational health and health surveillance records – retained securely and separately from general HR records. Health surveillance records must be retained for the period required by health and safety law, which may be 40 years depending on the type of surveillance.
- Equality monitoring records – anonymised wherever possible and retained only for as long as necessary for monitoring and reporting purposes.
- IT access logs and security records – retained for a defined period based on security, audit and investigation needs.
- Records relevant to ongoing complaints, claims, investigations, safeguarding matters, SSSC proceedings, Care Inspectorate enquiries, police enquiries or litigation – retained until the matter is concluded and any relevant appeal, limitation or regulatory period has expired.
Records must not be destroyed where they are subject to a live complaint, investigation, safeguarding concern, legal claim, regulatory enquiry, subject access request or instruction to preserve evidence.
8.2 Secure Data Disposal
- Paper records are shredded using a cross-cut shredding process.
- Electronic data is securely erased using industry-standard data wiping techniques; where data is held on encrypted storage, destruction of the encryption key (cryptographic erasure) is an acceptable method.
- Data held by external processors or cloud providers is deleted in line with the data processing agreement, and written confirmation of deletion is obtained where available.
- Backups containing personal data are deleted according to retention schedules; where a backup cannot be selectively edited, the data is treated as beyond use until the backup is overwritten or expires.
A record of confidential destruction will be kept where staff records are securely destroyed, including the type of record destroyed, date of destruction, method of destruction and person authorising destruction.
9. Staff Rights Under the UK GDPR
All staff have the following rights regarding their personal data:
- Right to Access – staff can request a copy of their personal data and information about how it is processed.
- Right to Rectification – staff can request correction of inaccurate information and completion of incomplete information.
- Right to Erasure (Right to be Forgotten) – staff can request data deletion under certain conditions; this will not apply where {{org_field_name}} must keep the data to meet a legal, regulatory or safeguarding obligation.
- Right to Restriction of Processing – staff can request limited use of their data in certain circumstances, for example while the accuracy of the data is being checked.
- Right to Data Portability – staff can request their data in a structured, commonly used and machine-readable format where processing is based on consent or contract and carried out by automated means.
- Right to Object – staff can object to certain types of data processing, including processing based on legitimate interests.
- Rights in relation to Automated Decision-Making – staff have the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects, and to request human intervention, express their point of view and contest any such decision.
Staff may exercise their data rights verbally or in writing by contacting {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}, Data Protection Officer, using the contact details in this policy. {{org_field_name}} will verify the identity of the requester where necessary and will normally respond without undue delay and within one month. This period may be extended by up to two further months where a request is complex or where multiple requests have been received, and the staff member will be informed of the reason for any extension.
Staff also have the right to raise a data protection complaint with {{org_field_name}}. Complaints may relate to how staff data has been collected, used, accessed, shared, retained, deleted or otherwise handled. {{org_field_name}} will acknowledge, investigate and respond to data protection complaints within a reasonable timescale and will explain any action taken. Staff may also complain to the Information Commissioner’s Office.
10. Data Breaches and Incident Response
10.1 Reporting a Data Breach
All suspected data breaches must be reported immediately to the Data Protection Officer (DPO), including near misses and breaches that appear minor; the DPO decides whether further reporting is required. A personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include:
- Unauthorised access to personal data, including a colleague viewing records they have no need to see.
- Loss or theft of physical or digital records or of devices holding them.
- Accidental sharing of confidential data with unauthorised parties, such as a misdirected email.
- Loss of availability or corruption of personal data, for example through ransomware, hardware failure or accidental deletion.
Contact:
Email: {{org_field_data_protection_officer_email}}
Phone: {{org_field_data_protection_officer_phone}}
10.2 Incident Management
The Data Protection Officer or appointed data protection lead will record and investigate all suspected or confirmed personal data breaches. The investigation will assess:
- what happened;
- what personal data was involved;
- whose data was affected;
- whether special category or criminal offence data was involved;
- the likely risk to the rights and freedoms of affected individuals;
- whether urgent containment action is required;
- whether the ICO must be notified;
- whether affected individuals must be informed;
- whether the Care Inspectorate, SSSC, Disclosure Scotland, police, insurers, commissioners or other bodies must be informed;
- what remedial action is required to prevent recurrence.
Where a breach is likely to result in a risk to individuals' rights and freedoms, {{org_field_name}} will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach; where notification is made later, the reasons for the delay will be given. Where a breach occurs at a processor, the processor must notify {{org_field_name}} without undue delay, and the 72-hour period runs from the time {{org_field_name}} becomes aware. Where a breach is likely to result in a high risk to affected individuals, {{org_field_name}} will inform those individuals without undue delay.
All breaches, including those not reported to the ICO, will be recorded in the organisation’s breach log, together with the reasons for any reporting decision, containment action, lessons learned and follow-up actions.
11. Staff Responsibilities
All staff at {{org_field_name}} must:
- Handle personal data responsibly and comply with GDPR principles.
- Report any concerns about data security breaches or misuse.
- Only access personal data when authorised to do so.
- Complete GDPR training as required by the organisation.
- Keep passwords, devices, records, keys, ID badges and access credentials secure.
- Never share passwords or allow another person to use their system access.
- Never access staff data out of curiosity or for personal reasons.
- Never disclose staff information to colleagues, service users, relatives, friends or external parties unless authorised and necessary.
- Check email addresses, attachments and recipients before sending staff personal data.
- Use approved systems only and avoid storing staff data on personal devices or personal accounts.
- Report lost devices, misdirected emails, unauthorised access, suspected cyber incidents and confidentiality breaches immediately.
- Follow confidentiality, information security, whistleblowing, safeguarding, records management and disciplinary procedures.
- Cooperate with audits, investigations, SSSC enquiries, Care Inspectorate enquiries and data protection investigations where required.
Failure to comply with data protection policies may result in disciplinary action.
12. Monitoring and Continuous Improvement
To ensure ongoing compliance, {{org_field_name}} will:
- maintain a record of processing activities or equivalent data-mapping record appropriate to the organisation;
- maintain a staff data retention schedule;
- carry out periodic audits of staff files, HR systems, payroll records, training records, access permissions and data sharing arrangements;
- review access permissions when staff change role, leave employment or no longer require access;
- review data protection risks when introducing new systems, apps, monitoring tools, biometric systems, electronic call monitoring, rota systems or cloud providers;
- complete a Data Protection Impact Assessment where processing is likely to result in a high risk to individuals;
- review processor contracts and data processing agreements;
- monitor completion of data protection, confidentiality and cyber security training;
- review breach logs, complaints, subject access requests and audit findings to identify learning;
- update this policy following legal, regulatory, ICO, SSSC, Care Inspectorate or operational changes.
12.1 Staff Monitoring and System Access Logs
{{org_field_name}} may monitor use of work systems, emails, devices, electronic care systems, rota systems, access logs and communication systems where this is lawful, necessary and proportionate. Monitoring may be used for information security, safeguarding, service continuity, audit, prevention and detection of misconduct, investigation of complaints, regulatory compliance and protection of people receiving care.
Staff will be informed about routine monitoring through the staff privacy notice, IT policy, electronic communications policy or other relevant policy. Covert monitoring will only be used in exceptional circumstances, where lawful, authorised at senior level, time-limited, proportionate and necessary to investigate suspected serious misconduct, safeguarding risk, criminal activity or serious breach of policy.
Monitoring information will only be accessed by authorised persons and will not be used in a way that is excessive, unfair or incompatible with the purpose for which it was collected.
13. Related Policies
This policy should be read alongside:
- Data Protection and Confidentiality Policy.
- IT Security Policy.
- Whistleblowing Policy.
- Staff Training and Development Policy.
14. Policy Review
This policy will be reviewed at least annually or sooner where required because of changes in legislation, ICO guidance, Care Inspectorate guidance, SSSC requirements, Disclosure Scotland requirements, contractual arrangements, technology, working practices, audit findings, complaints, data breaches or regulatory feedback.
The review will check whether this policy remains accurate, effective and aligned with current law and practice in Scotland.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.